Is this vulnerability real, exploited, or just noise?
Paste a package, CVE, or security concern. We prove it, explain it, and show the fix.
Accepts: package names, package@version, CVE IDs, CWE IDs, npm/PyPI URLs
Live Security Alerts
See all →
size_delta=2368% from previous version (+14461KB, blast_radius=1,496)
Manifest repository URL points at a popular package's repo but this package's name differs — impersonation
Install hook + shell exec + network — dropper shape (scopes may be install or runtime; install hook can transitively reach runtime caps via the postinstall entrypoint)
Namespace-coordinated publish burst with install-time entry point
Notable Vulnerabilities
Updated 5m ago
n8n Vulnerable to Remote Code Execution via Expression Injection
Marimo: Pre-Auth Remote Code Execution via Terminal WebSocket Authentication Bypass
Unauthenticated Remote Code Execution in Langflow via Public Flow Build Endpoint
MindsDB: Path Traversal in /api/files Leading to Remote Code Execution
Langflow has Remote Code Execution in CSV Agent
Top Weaknesses Detected
See all →
Exposure of Sensitive Information to an Unauthorized Actor
Improper Input Validation
Use of Hard-coded Credentials
Improper Control of Generation of Code ('Code Injection')
Execution with Unnecessary Privileges
Permissive Cross-domain Policy with Untrusted Domains
Uncontrolled Resource Consumption
Authorization Bypass Through User-Controlled Key
Package Security Status
Scan from your terminal
Run Shoulder locally to analyze packages before installing them, or scan your entire project for vulnerabilities.
npx @shoulderdev/cli check <package>
npx @shoulderdev/cli trust .